From the 18th of May 2018 all countries in the European Union had to abide by the new General Data Protection Regulation (GDPR). This was approved by the European Parliament and Council and replaced the Data Protection Directive 95/46/ec. These regulations apply to everyone from small businesses to large enterprises handling personal data within the EU. GDPR also applies to anyone outside the EU who handles personal data of an EU resident.
What data do we hold?
In Ok Alone there are two kinds of users of the system. Workers, the people in the field whose safety is being monitored, use the app. Monitors, the people responsible for taking action on any alerts generated by Workers, use the browser based Dashboard, typically on a PC or Smartphone. The unique identifier of the Worker is an Ok Alone generated PIN.
Whilst it is best practice to use the worker’s name, it is not a requirement. Anonymised data like ID numbers, building names or team names can be used. Monitors need an email to login. That email does not need to be a work email or an email containing their name, although again, this is normal practice. For those who want alerts, an email and/or phone/cell number are necessary.
If scheduling is required, shift information is needed too. All other data is generated from within the Ok Alone system. In short, little if any client data is required to set-up Ok Alone, but most clients provide a name, email and phone number(s).
For what purpose do we hold the data?
Data, including location data, is stored so that any alerts related to worker safety can be resolved and reviewed. Data is also stored so there is a full audit trail of all actions carried out in the system.
How long do we hold the data?
There are 4 key aspects to data storage. First, the data relating to the workers and monitors. This is held whilst the account is open, but the addition and deletion of this data is controlled by you (the Company). Second, the location data of the workers is held for 30 days in the live database. Third, the transactional data about workers activity (i.e. start/end shifts, check-ins, help alerts, messages sent). This data is held for 1 year in the live database. Fourth, back-ups are taken regularly and held in storage outside of the main system. This data is held for extended periods of time due to legal requirements (i.e. The Occupational Health and Safety Regulation or the OHS provisions of the Workers Compensation Act.)
Union Wide Uniformity
The reason for the GDPR is to make sure there are uniform data security laws across all EU members. This means countries no longer have to write their own laws and ensures all laws are the same across the union. To read the full document click this link https://gdpr-info.eu/
The regulations were brought in to protect people’s personal data when they are online. The GDPR covers data collected about someone that could be used to identify them, this could include:
- Social Media Posts
- Email Addresses
- IP Addresses
- Personal Medical Information
- Phone Numbers
- Date of Birth
- Bank Details
- Passport Number
Any data that could be used to identify an individual, either a single piece, like a name, or many small pieces that add up to identify an individual need to be safeguarded.
There are seven principles of GDPR which are laid out in Article 5: ¹
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Data Minimisation
- Storage Limitation
- Integrity And Confidentiality (Security)
The only principle that was not included in previous regulations is ‘accountability’. This means companies need to prove they are compliant with the regulations, are documenting how their data is protected and that only people who need access to information can access it.
As the UK left the European Union, it introduced the UK GDPR to work alongside the Data Protection Act 2018 (DPA). The UK GDPR maintains the data protection standards of the GDPR and the same extraterritorial scope. Therefore, companies based outside the EEA who process UK resident’s data for the purposes of providing goods or services will have to comply with the standards set out in the UK GDPR. Any necessary decisions on the GDPR previously decided by the European Commission, will be transferred to the Secretary of State and/or the Information Commissioner. ²
GDPR/The Canadian Privacy Act and Ok Alone
The Data flow process and Data Storage
The servers used by Ok Alone are located in Canada and are subject to PIPEDA (Personal Information Protection and Electronic Documents Act). This ensures all data received from customers is kept securely.
Ok Alone does not share any data or information with other companies. In addition to the primary purposes, we are also legally obliged to share certain data with other public bodies and will do so where the law requires this; we will also generally comply with requests for specific information from other regulatory and law enforcement bodies where this is necessary and proportionate.
Data Access Information
Ok Alone takes data privacy very seriously, making sure internal access to customer’s personal data is on a need to know basis. All users with access to personal data have individual logins and standard industry security practices are maintained.
Ok Alone customers also have a great deal of control over which people internally see personal data. There are three levels of user access rights for the Monitors, each of which grants different access to personal data. Workers do not have access personal data. All interaction between Workers and the system occurs through an encrypted connection with the app. Combined, this ensures people’s data stays private.
Each person has the right to request deletion, updating, correction, or the full record of their data. To enable this, each Admin Monitor can add, edit, update and delete Worker’s personal information in the system. In the event that there is a particular element of data the Monitor cannot edit, update or delete, they can also email us at [email protected] to request data is removed from our systems.
GDPR requires processors to inform clients of any subprocessors they may have contact with. Here is a list of all subprocessors that Ok Alone is engaged with.
- Amazon Web Services
- Azure – Microsoft Corporation
- Google LLC
3 – https://gdpr-info.eu/art-5-gdpr/